US20080244736A1 - Model-based access control - Google Patents


Info

Publication number
US20080244736A1
Authority
US
United States
Prior art keywords
model
abstract
user
resource
component
Prior art date
Legal status (as listed by Google Patents; not a legal conclusion)
Abandoned
Application number
US11/694,014
Inventor
Butler Lampson
Ravindra Nath Pandya
Paul J. Leach
Muthukrishnan Paramasivam
Carl M. Ellison
Charles William Kaufman
Current Assignee (as listed by Google Patents; may be inaccurate)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Corp
Application filed by Microsoft Corp
Priority to US11/694,014
Assigned to MICROSOFT CORPORATION. Assignors: LEACH, PAUL J; PANDYA, RAVI; ELLISON, CARL M.; KAUFMAN, CHARLES WILLIAM; LAMPSON, BUTLER; PARAMASIVAM, MUTHUKRISHNAN
Corrective assignment to MICROSOFT CORPORATION, correcting the assignor Ravi Pandya's name to his full name, Ravindra Nath Pandya, previously recorded on reel 019100 frame 0300. Assignors: PANDYA, RAVINDRA NATH; LEACH, PAUL J; ELLISON, CARL M.; KAUFMAN, CHARLES WILLIAM; LAMPSON, BUTLER; PARAMASIVAM, MUTHUKRISHNAN
Priority to CN200880010688A (CN101652767A)
Priority to EP08743601A (EP2132642A4)
Priority to PCT/US2008/055299 (WO2008121471A1)
Publication of US20080244736A1
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC. Assignor: MICROSOFT CORPORATION
Legal status: Abandoned (current)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database

Definitions

  • Computers and computer systems are widely utilized in a multitude of environments (e.g., business, personal, and so forth). Individuals who perform functions with computers and/or computer systems (e.g., create, modify, store, delete, data entry, and so on) generally are provided access rights that allow the individual to perform various functions or use various applications but do not allow other functions to be performed and/or applications to be utilized. For example, a supervisor might be given access to modify employee records and to view employee compensation packages while a subordinate might not be given access to these types of information.
  • Administrators and other users of a computer system can utilize an infrastructure to implement and manage the various access rights. This requires access permissions to be configured for a multitude of resources and a multitude of individuals. Configuring the disparate computers, settings, and other information is not only time consuming but also requires the administrator to remember each setting. In addition, the administrator should provide similar individuals (e.g., individuals performing the same work function) with similar, if not identical, access rights. As changes are made to each individual's access rights, the original intent of such access rights might be lost as a result of errors occurring when access rights are created and/or modified, or as a result of a number of incorrect changes being made in order to create a desired access right setting, especially when initially it is not known how to manipulate the setting. Thus, users performing a similar function might have different access rights, which can potentially cause problems, especially if a user has access to something that they should not have access to.
  • Access management today involves configuring low-level settings specific to resource managers, and these settings bear little resemblance to the “intent” of the policy author. Such settings are difficult to maintain and hard to reconcile with the policy intent once the configuration is complete. Moreover, when the same policy is to be applied repeatedly over many domains, the low-level configurations must be made repeatedly. This is expensive to manage, and furthermore offers little support in the form of querying and comprehending the configured policy with regard to the intent.
  • An abstract user role model and/or an abstract resource model are created that can be modular and utilized across many different applications.
  • Abstracted security policies can be associated with each user role model, making such model and associated access rights uniform for a particular role or function.
  • One or more specific individuals can be associated with each user role model, and the permissions granted to such individuals can be based on the permissions granted to the user role model.
  • one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims.
  • the following description and the annexed drawings set forth in detail certain illustrative aspects and are indicative of but a few of the various ways in which the principles of the embodiments may be employed.
  • Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawings and the disclosed embodiments are intended to include all such aspects and their equivalents.
  • FIG. 1 illustrates a system that provides model-based access control.
  • FIG. 2 illustrates a system that can facilitate model-based access control.
  • FIG. 3 illustrates a view of a model for a subset of a system.
  • FIG. 4 illustrates an exemplary manual administration of assigning access rights to a multitude of users.
  • FIG. 5 illustrates an exemplary system that can be utilized with the disclosed embodiments.
  • FIG. 6 illustrates another system that can be utilized with the disclosed embodiments.
  • FIG. 7 illustrates the extensible nature of the disclosed embodiments.
  • FIG. 8 illustrates a simplified template for a family personal computer or domain.
  • FIG. 9 illustrates a method for providing a model based access control that is modular.
  • FIG. 10 illustrates a block diagram of a computer operable to execute the disclosed embodiments.
  • FIG. 11 illustrates a schematic block diagram of an exemplary computing environment operable to execute the disclosed embodiments.
  • a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer.
  • an application running on a server and the server can be a component.
  • One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers.
  • exemplary is used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs.
  • the one or more embodiments may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computer to implement the disclosed embodiments.
  • article of manufacture (or alternatively, “computer program product”) as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media.
  • computer readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk (CD), digital versatile disk (DVD) . . . ), smart cards, and flash memory devices (e.g., card, stick).
  • a carrier wave can be employed to carry computer-readable electronic data such as those used in transmitting and receiving electronic mail or in accessing a network such as the Internet or a local area network (LAN).
  • System 100 provides a security policy that can be abstracted from resource manager primitives and can specify a policy with higher-level abstractions that can mirror the intent of a policy author. Additionally or alternatively, system 100 can facilitate creating and applying multiple instances of a security policy across a variety of different authorization contexts. System 100 can further be configured to specify a security policy in nested models.
  • System 100 can be configured to maintain the policies and preserve such policies to a group of users that have substantially the same access rights.
  • System 100 includes an abstraction component 102 that can be configured to abstract a security policy for protecting resources away from the underlying implementations of the various applications and their parameters. Based in part on the security policy, abstraction component 102 can build one or more abstract user models, one or more abstract resource models, or both abstract user models and abstract resource models.
  • the abstract user model might be an abstract of a particular user role or another means of identifying similar users that should have access to similar resources to create a model (e.g., manufacturing supervisor, bank teller, toll-road booth operator, librarian, and so forth).
  • the abstract user model might be a model of an organization of resources and users. For example, it can be a hierarchy of resources (or scopes) related to a hierarchy of users in a group.
  • Abstraction component 102 can be independent of the type of mechanism or configuration actually used to protect resources (e.g., programs, applications, formats, files, and so forth) and/or of the user that actually accesses the resources. For example, regardless of the mechanism utilized, persons that need access to financial documents should be allowed access to those financial documents. Through utilization of abstraction component 102 , an administrator or other person responsible for persisting a security policy does not have to manually perform low-level configuration for each user and/or resource but may instead modify the user model and/or the resource model.
  • abstraction component 102 can be configured to help preserve the policy intent. Since the security policy is abstracted from the resource management primitive, an abstraction can be provided that can allow policy authors to specify one or more policies in a manner that is closer to the actual intent (e.g., such as a codified intent) rather than the underlying implementation that protects the resources.
  • abstraction component 102 can be configured to provide repeatability of the abstract model configuration.
  • the abstract models can be modular and can be applied across different applications or through various and disparate roles and functions.
  • a national bank might have branches and would like to ensure that each branch has the same kind of configuration (e.g., a manager has more permissions than an assistant manager and a teller has low-level permissions).
  • These resources, roles and associated permissions are the same for each branch, although a different person is performing the corresponding function (e.g., manager, teller).
  • repeatability of the permission configuration can be persisted through all the branches.
  • An assignment component 104 can be configured to identify or designate one or more specific users to an abstract user model or to more than one abstract user model.
  • a role can be a bank teller, a bank supervisor, a machine shop foreman, a receptionist, a child, an adult, and so forth.
  • Assignment component 104 can be configured to maintain information relating to why a user role or group of user roles has access to certain permissions and/or can translate an abstract model into concrete terms thereby assigning permissions to the users for use of the concrete resources.
  • Assignment component 104 can further be configured to assign one or more resources to the abstract resource models.
  • An authorization component 106 can be configured to set permissions (e.g., name specific users/groups with their rights) on the concrete resources based in part on the model. At substantially the same time as the user is identified and placed into the desired group or groups, the appropriate permissions and memberships can be automatically created as a consequence of identifying the user with a particular user model.
  • authorization component 106 can be configured to maintain information relating to why a specific individual has access to various permissions. If a user performs different roles, the user can be given permissions relating to each of those roles, depending on the task being performed. For example, if the user is a receptionist but also fills in when the payroll clerk is out, this user might have both permissions (receptionist and payroll clerk). However, if the user is not covering for the payroll clerk, the permissions relating to payroll functions can be disabled and only the receptionist permissions are allowed during those times.
  • FIG. 2 illustrates a system 200 that can facilitate model-based access control.
  • System 200 can be configured to simplify an authorization policy and implementation of that authorization policy.
  • System 200 can be configured to conceal the complexity of the underlying implementation from users and administrators. In some embodiments, users and administrators can access the underlying implementation if desired.
  • System 200 can mitigate repetitive manual effort by an administrator when complex policies apply to multiple objects.
  • System 200 can also retain information relating to a policy, making it possible to determine the parameters of the policy even if there has been a long history of incremental changes.
  • System 200 includes an abstraction component 202 that can be configured to abstract or conceptualize, from the underlying implementations of various applications and parameters, a security policy to protect resources and to create abstract user models, abstract resource models, or both models. Also included is an assignment component 204 that can be configured to correlate the abstracted security policies and a user model with a specific user or users and a resource model with a specific resource or resources. Also included in system 200 is a permission component 206 that can be configured to automatically set permissions on the specific resources based on the model.
  • Abstraction component 202 can include a resource module 208 and a function module 210 that independently or in conjunction acquire a model of the various resources, users and permissions as viewed by an administrator.
  • Resource module 208 can include information relating to the various resources available and create an abstract resource model based on such available resources.
  • Function module 210 can include information relating to the potential roles (e.g., user) through which people can have access (e.g., human resource manager, stock clerk, and so forth).
  • Abstraction component 202 can (e.g., through resource module 208 and/or function module 208 ) provide a mechanism or vocabulary that allows the model to be specified in abstract terms.
  • abstraction component 202 does not focus on specific resources being protected but on a conceptual organization of these resources and a conceptual organization of users and the kinds of permissions for each user on the resources.
  • Assignment component 204 can include a scope module 212 and a role module 214 .
  • the scope module 212 can include or can access a collection of resources and a subset of these resources can be assigned to one or more abstract resource models 216 , labeled Resource 1 through Resource K , where K is an integer.
  • A role module 214 can access or maintain a collection of principals that can be assigned to one or more abstract user models. These principals can be users 218 or user roles, labeled User 1 through User N , where N is an integer.
  • the model created by system 200 can be populated with specific users and/or resources (e.g., disk files, databases, other things specified in the model).
  • modular concepts can be configured to create nested models.
  • Security policies can be specified in these nested modules.
  • a model can be specified for access control and that model can be used as a component in building models for bigger systems.
  • models can be used in other models or sub-models and used in a modular manner. For example, there can be templates for each bank branch and a head branch in each city. There can be a model specifying who is allowed to designate a back-up manager. However, the branch itself is not modeled or invented to describe the branch. Instead, a branch model already built can be reused and combined with the back-up manager module.
  • FIG. 3 illustrates a view of a model 300 for a subset of a system.
  • This model view 300 can be from the perspective of an administrator, a user and/or entity that is responsible for assigning specific individuals to specific roles or accesses (e.g., security accesses).
  • Illustrated are two project repositories 302 and 304 , which can represent two projects being worked on concurrently within an organization.
  • the repositories 302 , 304 can represent other items, jobs, tasks, and so forth that have a multitude of users that should be assigned different access rights as it relates to the item, jobs, tasks, and so on.
  • These repositories 302 , 304 can be scopes for resources, one for the first project 302 and one for the second project 304 .
  • Each project 302 , 304 can have various roles or a logical class of users assigned to perform various functions as it relates to the project 302 , 304 .
  • the first project 302 has two roles, which can be developers 306 and project managers 308 .
  • the second project 304 also has two similar roles, developers 306 and project managers 308 .
  • more than one user can be assigned to each role and the roles can be utilized across repositories 302 , 304 , as represented by roles 306 and 308 .
  • a group for each role can be created. This group can include users who are performing the functions of that role for the project.
  • a scope is a collection of resources and a role is a collection of principals.
  • an administrator places a user 310 into the desired group or groups and the appropriate permissions and memberships are automatically created as a consequence of identifying the user 308 with a particular role 306 , 308 . That is to say, for each repository 302 , 304 , a multitude of roles 306 and 308 can be assigned, which may be different roles and/or a different number of roles than those illustrated and described. One or more individuals are assigned to each role and the corresponding access rights for that role are applied to that user. Such assignment can be based on a unique identifier associated with that individual, such as a user id, a user password, or based on other identifiers. As illustrated, the user 310 is assigned to a developer role 306 in the first repository 302 and a project manager 308 in the second repository 304 .
  • FIG. 4 illustrates an exemplary manual administration 400 of assigning access rights to a multitude of users.
  • This example is similar to the above example and includes a first project 402 and a second project 404 .
  • a developer 406 and a project manager 408 are identified or associated with each project 402 , 404 .
  • a user 410 might be responsible for the role of developer 408 in the first project and the role of project manager 406 in the second project 404 .
  • a server 412 is utilized for each role.
  • Each user or group of users 406 , 408 would be manually associated with one or more operations, such as an edit permission 414 and a read permission 416 , for example.
  • Each permission 414 , 416 is manually associated with a user or group of users 406 , 408 , and for each role (e.g., developer 406 and project manager 408 ) the permission would have to be manually configured a multitude of times.
  • the disclosed embodiments can mitigate repetitive manual effort of the administrator by providing modular roles that can be utilized across multiple projects.
  • the disclosed embodiments can make it simple to determine a policy and its purpose after a long history of incremental changes (e.g., changes to access rights).
  • the system can include a template, illustrated by dotted line 502 , and an instance, illustrated by dotted line 504 .
  • the template 502 and its instance 504 can be referred to as a leaf scope that can correspond to an instance of a service and a subset of its resources.
  • the scope template 502 is created that can define the roles for the service.
  • a role can determine the permissions that a user can have when performing the functions of that role.
  • the roles of FIG. 5 are illustrated as contributor 506 and reader or viewer 508 .
  • Each role 506 , 508 can be tailored to enable a user or group of users to perform a task (e.g., bank teller, HR benefits clerk, contributor or viewer of documents, and so forth).
  • the contributor 506 can edit documents and, as illustrated, can also be a viewer 508 , which is an example of role nesting.
  • the predefined roles 506 , 508 can help to determine a combination of permissions that should be tested to make sure they correctly enable the desired tasks and conform to an authorization policy within the scope.
  • the scope template 502 is instantiated to create a scope.
  • the same template 502 can be utilized to create many scopes, as illustrated in FIG. 5 .
  • the contributor 506 and viewer 508 roles have the same permissions for the resource in the scope that the corresponding role template had in the template.
  • a user 510 is illustrated as being placed into the viewer role.
  • Each scope can precisely mirror the scope template and has the resources, roles, and permissions defined in the template 502 .
  • FIG. 6 illustrates another system 600 that can be utilized with the disclosed embodiments.
  • System 600 includes a project repository 602 that can include at least two subparts, illustrated as specifications 604 and sources 606 .
  • a project manager role 608 can be assigned to a contributor role 610 in the specification server 604 and a viewer or reader role 612 in the source server 606 .
  • a part's role can include the interface that it exports to containing scopes.
  • The smallest parts are actual services; composite parts, such as a project that contains subparts, are built from other parts. These can be nested as deeply as needed to provide the various roles and sub-roles.
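The templates, scopes and nested roles described for FIG. 3, FIG. 5 and FIG. 6 can be put together in a few classes. The following Python is an added example, not code from the patent or from Microsoft: the role and permission names (a contributor edits and is also a viewer, a viewer reads; the project manager is a contributor in specifications and a viewer in sources) come from the page, while the developer role's mapping onto the sub-parts, the resource names and the principal names are assumptions made for the illustration.

```python
# Added illustration (not the patent's code) of templates, scopes and nested roles
# as described for FIG. 3, FIG. 5 and FIG. 6. Names marked "assumed" are not on the page.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class RoleTemplate:
    name: str
    permissions: frozenset = frozenset()  # operations on the scope's own resources
    includes: tuple = ()                  # nested roles (a contributor is also a viewer)
    part_roles: tuple = ()                # ((part, role), ...): role exported into sub-parts

@dataclass
class ScopeTemplate:
    name: str
    roles: dict                                # role name -> RoleTemplate
    parts: dict = field(default_factory=dict)  # part name -> ScopeTemplate (composite)

    def closure(self, role):
        """All roles reachable through nesting, starting with `role` itself."""
        seen, todo = [], [role]
        while todo:
            r = todo.pop()
            if r not in seen:
                seen.append(r)
                todo.extend(self.roles[r].includes)
        return seen

@dataclass
class Scope:
    name: str
    template: ScopeTemplate
    resources: set = field(default_factory=set)
    members: dict = field(default_factory=dict)  # role -> set of principals
    parts: dict = field(default_factory=dict)    # part name -> Scope

    def assign(self, principal, role):
        """The only administrative act: place a principal into a role of this scope."""
        if role not in self.template.roles:
            raise KeyError(f"{role!r} is not a role of template {self.template.name!r}")
        self.members.setdefault(role, set()).add(principal)

    def role_permissions(self, role, resource):
        """Operations `role` allows on `resource`, via nesting here and mapping into parts."""
        perms = set()
        for r in self.template.closure(role):
            rt = self.template.roles[r]
            if resource in self.resources:
                perms |= rt.permissions
            for part, part_role in rt.part_roles:
                perms |= self.parts[part].role_permissions(part_role, resource)
        return perms

    def permissions(self, principal, resource):
        """Concrete permissions derived from memberships here and in sub-scopes."""
        perms = set()
        for role, principals in self.members.items():
            if principal in principals:
                perms |= self.role_permissions(role, resource)
        for sub in self.parts.values():
            perms |= sub.permissions(principal, resource)
        return frozenset(perms)

    def is_allowed(self, principal, resource, operation):
        return operation in self.permissions(principal, resource)

def instantiate(template, name, resources):
    """Create a scope mirroring the template; `resources` is a set for a leaf
    template or {part name: resources} for a composite one."""
    if template.parts:
        scope = Scope(name, template)
        for part, sub_template in template.parts.items():
            scope.parts[part] = instantiate(sub_template, f"{name}/{part}", resources[part])
        return scope
    return Scope(name, template, set(resources))

# Leaf template (FIG. 5): a contributor can edit and, by nesting, is also a viewer.
SERVICE = ScopeTemplate("service", {
    "viewer": RoleTemplate("viewer", frozenset({"read"})),
    "contributor": RoleTemplate("contributor", frozenset({"edit"}), includes=("viewer",)),
})

# Composite template (FIG. 6): the project manager mapping is the page's;
# the developer mapping (assumed) is its mirror image.
PROJECT = ScopeTemplate("project", roles={
    "developer": RoleTemplate("developer",
        part_roles=(("specifications", "viewer"), ("sources", "contributor"))),
    "project_manager": RoleTemplate("project_manager",
        part_roles=(("specifications", "contributor"), ("sources", "viewer"))),
}, parts={"specifications": SERVICE, "sources": SERVICE})

def build_demo():
    """Constructed deployment (FIG. 3): two projects from one template; one user is a
    developer in the first and a project manager in the second. File names are assumed."""
    project1 = instantiate(PROJECT, "project1", {"specifications": {"spec.doc"}, "sources": {"main.c"}})
    project2 = instantiate(PROJECT, "project2", {"specifications": {"design.doc"}, "sources": {"app.go"}})
    project1.assign("alice", "developer")
    project2.assign("alice", "project_manager")
    return project1, project2
```

Instantiating `PROJECT` twice yields two scopes that mirror the template exactly; placing `alice` into a role is the only administrative step, and her concrete permissions on each file (edit and read on `main.c`, read only on `spec.doc`, the reverse in the second project) follow from the model. A policy change is made once in the template and re-instantiated, rather than by editing the permissions on every resource, and `permissions()` also gives the "why" the page asks for: every granted operation traces back to a membership and a template role.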
  • FIG. 7 illustrates the extensible nature of the disclosed embodiments. Illustrated is a template 700 for a bank teller application to demonstrate the extensible policy in a business application.
  • a low role 702 and a high role 704 can be applied to accounts 706 that a bank services.
  • Each role 702 , 704 can have a corresponding permission to transfer amounts, such as $1000 for the low role 702 and $100,000 for the high role.
  • A teller role 708 and a manager role 710 can be assigned to the low accounts and the high accounts, respectively.
  • An administrator or other user responsible for assigning the roles can add to the application logic the amount value for the current transaction, and a policy system can evaluate the expression.
  • the roles are modular and the policy can be updated through the model-based access control without changing the application code.
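As an added example (not the patent's or Microsoft's code) of the FIG. 7 template: the transfer limits are held in the model as an expression over the request, the application only supplies the amount of the current transaction, and a limit change is made in the policy system without touching application code. The $1,000 and $100,000 limits and the teller/manager assignment to the low/high roles are the page's; the request dictionary, the `view` permission and the function names are assumptions.

```python
# Added illustration (not the patent's code) of the FIG. 7 bank teller template:
# the transfer limits live in the model and are evaluated by a policy system that
# the application asks with the amount of the current transaction.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Permission:
    operation: str
    limit: Optional[int] = None  # None: unconditional; else requires amount <= limit

# Account-level roles of the template; the dollar limits are the page's values.
# The "view" permission is assumed for illustration.
ACCOUNT_ROLES = {
    "low": (Permission("view"), Permission("transfer", 1_000)),
    "high": (Permission("view"), Permission("transfer", 100_000)),
}

# Abstract user roles mapped onto the account roles (teller -> low, manager -> high).
ROLE_ASSIGNMENT = {"teller": "low", "manager": "high"}

class PolicySystem:
    """Evaluates the model; the application never embeds the limits itself."""

    def __init__(self, account_roles, assignment):
        self.account_roles = {k: tuple(v) for k, v in account_roles.items()}
        self.assignment = dict(assignment)

    def evaluate(self, user_role, request):
        """True if a permission of the user's account role covers the request."""
        account_role = self.assignment.get(user_role)
        if account_role is None:
            return False  # unknown role: deny by default
        for perm in self.account_roles[account_role]:
            if perm.operation != request.get("operation"):
                continue
            if perm.limit is None:
                return True
            amount = request.get("amount")
            # Only a positive integer amount within the limit satisfies the expression;
            # a missing, negative or non-numeric amount is rejected, not guessed.
            if isinstance(amount, int) and not isinstance(amount, bool) and 0 < amount <= perm.limit:
                return True
        return False

    def set_limit(self, account_role, operation, limit):
        """Policy change made in the model; the application code is unchanged."""
        self.account_roles[account_role] = tuple(
            Permission(p.operation, limit) if p.operation == operation else p
            for p in self.account_roles[account_role])

def transfer(policy, user_role, amount, balances, src, dst):
    """Application logic: pass the amount to the policy system, then act on its answer."""
    if not policy.evaluate(user_role, {"operation": "transfer", "amount": amount}):
        return False
    if balances.get(src, 0) < amount:
        return False
    balances[src] -= amount
    balances[dst] = balances.get(dst, 0) + amount
    return True
```

The `transfer` function is the only piece that belongs to the application, and it contains no dollar figures; raising the low role's limit through `set_limit` changes what a teller may do on the next request with no redeployment. The evaluator denies on an unknown role and on a missing or malformed amount, so an application bug that drops the amount from the request fails closed.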
  • FIG. 8 illustrates a simplified template for a family personal computer or domain. Model-based access control can be utilized for enterprise applications, and it can also make authorization less complicated for small businesses and consumers. It should be noted that FIG. 8 illustrates only a sub-portion of a family domain for purposes of simplicity.
  • a desktop for a single machine might have several predefined roles (e.g., abstract user models), such as an adult 802 , a child 804 , and a friend 806 . Also included can be several predefined scopes, such as household 808 , community 810 , and a user scope template 812 . These scopes 808 , 810 , 812 can be built from the same basic scope template. This scope template appears four times in the figure.
  • Adult 802 can be an owner 814 and child 804 can be a contributor on the household scope 808 and the community scope 810 .
  • Each user can have a buddy list and buddies 816 are friends for the castle 818 and in addition are readers 820 on the user's shared sub-scope. It should be noted that this is a simple example and a small business can have several more parts.
  • FIG. 9 illustrates a method 900 for providing a model based access control that is modular. While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of blocks, it is to be understood and appreciated that the disclosed embodiments are not limited by the number or order of blocks, as some blocks may occur in different orders and/or concurrently with other blocks from what is depicted and described herein. Moreover, not all illustrated blocks may be required to implement the methodologies described hereinafter. It is to be appreciated that the functionality associated with the blocks may be implemented by software, hardware, a combination thereof or any other suitable means (e.g. device, system, process, component).
  • an abstract security policy is created.
  • This security policy can be created in such a manner that it is independent from the type of mechanism or configuration actually used to protect resources (e.g., programs, applications, formats, files, and so forth).
  • An abstract user model and/or an abstract resource model can be created or developed at 904 . These models are not specific to a particular user and/or a particular resource but relate to different resources, roles or functions and the access control that should be authorized for various resources, users, or user roles.
  • A user model might be for a supervisor that should have security policies that relate to a subordinate's functions. In such a manner, the supervisor should be given the abstracted security policy for the supervisor and the abstracted security policy for the subordinate.
  • more than one user model can be associated with more than one abstract security policy by nesting the models in such a manner that the model can be specified for access control and that model can be used as a component in building models for bigger systems.
  • The association, at 906 , also allows for modularity in that the abstract user model and associated abstract security policy or abstract resource model can be used across applications or in different applications.
  • Permissions can be automatically set on specific resources based on the model, at 1008 .
  • more than one individual is associated with either or both the abstracted user model and the abstracted security policy.
  • Referring now to FIG. 10 , there is illustrated a block diagram of a computer operable to execute the disclosed architecture.
  • FIG. 10 and the following discussion are intended to provide a brief, general description of a suitable computing environment 1000 in which the various aspects can be implemented. While the one or more embodiments have been described above in the general context of computer-executable instructions that may run on one or more computers, those skilled in the art will recognize that the various embodiments also can be implemented in combination with other program modules and/or as a combination of hardware and software.
  • program modules include routines, programs, components, data structures, etc., that perform particular tasks or implement particular abstract data types.
  • inventive methods can be practiced with other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated devices.
  • the illustrated aspects may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network.
  • program modules can be located in both local and remote memory storage devices.
  • Computer-readable media can be any available media that can be accessed by the computer and includes both volatile and nonvolatile media, removable and non-removable media.
  • Computer-readable media can comprise computer storage media and communication media.
  • Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data.
  • Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
  • Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media.
  • The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
  • Communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
  • The exemplary environment 1000 for implementing various aspects includes a computer 1002 , the computer 1002 including a processing unit 1004 , a system memory 1006 and a system bus 1008 .
  • The system bus 1008 couples system components including, but not limited to, the system memory 1006 to the processing unit 1004 .
  • The processing unit 1004 can be any of various commercially available processors. Dual microprocessors and other multi-processor architectures may also be employed as the processing unit 1004 .
  • The system bus 1008 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures.
  • The system memory 1006 includes read-only memory (ROM) 1010 and random access memory (RAM) 1012 .
  • A basic input/output system (BIOS) is stored in a non-volatile memory 1010 such as ROM, EPROM, EEPROM, which BIOS contains the basic routines that help to transfer information between elements within the computer 1002 , such as during start-up.
  • The RAM 1012 can also include a high-speed RAM such as static RAM for caching data.
  • The computer 1002 further includes an internal hard disk drive (HDD) 1014 (e.g., EIDE, SATA), which internal hard disk drive 1014 may also be configured for external use in a suitable chassis (not shown), a magnetic floppy disk drive (FDD) 1016 , (e.g., to read from or write to a removable diskette 1018 ) and an optical disk drive 1020 , (e.g., reading a CD-ROM disk 1022 or, to read from or write to other high capacity optical media such as the DVD).
  • The hard disk drive 1014 , magnetic disk drive 1016 and optical disk drive 1020 can be connected to the system bus 1008 by a hard disk drive interface 1024 , a magnetic disk drive interface 1026 and an optical drive interface 1028 , respectively.
  • The interface 1024 for external drive implementations includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies. Other external drive connection technologies are within contemplation of the one or more embodiments.
  • The drives and their associated computer-readable media provide nonvolatile storage of data, data structures, computer-executable instructions, and so forth.
  • The drives and media accommodate the storage of any data in a suitable digital format.
  • Although the description of computer-readable media above refers to a HDD, a removable magnetic diskette, and a removable optical media such as a CD or DVD, it should be appreciated by those skilled in the art that other types of media which are readable by a computer, such as zip drives, magnetic cassettes, flash memory cards, cartridges, and the like, may also be used in the exemplary operating environment, and further, that any such media may contain computer-executable instructions for performing the methods disclosed herein.
  • A number of program modules can be stored in the drives and RAM 1012 , including an operating system 1030 , one or more application programs 1032 , other program modules 1034 and program data 1036 . All or portions of the operating system, applications, modules, and/or data can also be cached in the RAM 1012 . It is appreciated that the various embodiments can be implemented with various commercially available operating systems or combinations of operating systems.
  • A user can enter commands and information into the computer 1002 through one or more wired/wireless input devices, e.g., a keyboard 1038 and a pointing device, such as a mouse 1040 .
  • Other input devices may include a microphone, an IR remote control, a joystick, a game pad, a stylus pen, touch screen, or the like.
  • These and other input devices are often connected to the processing unit 1004 through an input device interface 1042 that is coupled to the system bus 1008 , but can be connected by other interfaces, such as a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.
  • a monitor 1044 or other type of display device is also connected to the system bus 1008 through an interface, such as a video adapter 1046 .
  • a computer typically includes other peripheral output devices (not shown), such as speakers, printers, etc.
  • The computer 1002 may operate in a networked environment using logical connections through wired and/or wireless communications to one or more remote computers, such as a remote computer(s) 1048 .
  • The remote computer(s) 1048 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 1002 , although, for purposes of brevity, only a memory/storage device 1050 is illustrated.
  • The logical connections depicted include wired/wireless connectivity to a local area network (LAN) 1052 and/or larger networks, e.g., a wide area network (WAN) 1054 .
  • LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, e.g., the Internet.
  • When used in a LAN networking environment, the computer 1002 is connected to the local network 1052 through a wired and/or wireless communication network interface or adapter 1056 .
  • The adaptor 1056 may facilitate wired or wireless communication to the LAN 1052 , which may also include a wireless access point disposed thereon for communicating with the wireless adaptor 1056 .
  • The computer 1002 can include a modem 1058 , or is connected to a communications server on the WAN 1054 , or has other means for establishing communications over the WAN 1054 , such as by way of the Internet.
  • The modem 1058 , which can be internal or external and a wired or wireless device, is connected to the system bus 1008 through the serial port interface 1042 .
  • Program modules depicted relative to the computer 1002 can be stored in the remote memory/storage device 1050 . It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.
  • The computer 1002 is operable to communicate with any wireless devices or entities operatively disposed in wireless communication, e.g., a printer, scanner, desktop and/or portable computer, portable data assistant, communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone.
  • The communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices.
  • Wi-Fi is a wireless technology similar to that used in a cell phone that enables such devices, e.g., computers, to send and receive data indoors and out, anywhere within the range of a base station.
  • Wi-Fi networks use radio technologies called IEEE 802.11 (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity.
  • A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wired networks (which use IEEE 802.3 or Ethernet).
  • Wi-Fi networks operate in the unlicensed 2.4 and 5 GHz radio bands, at an 11 Mbps (802.11a) or 54 Mbps (802.11b) data rate, for example, or with products that contain both bands (dual band), so the networks can provide real-world performance similar to the basic 10BaseT wired Ethernet networks used in many offices.
  • The system 1100 includes one or more client(s) 1102 .
  • The client(s) 1102 can be hardware and/or software (e.g., threads, processes, computing devices).
  • The client(s) 1102 can house cookie(s) and/or associated contextual information by employing the various embodiments, for example.
  • The system 1100 also includes one or more server(s) 1104 .
  • The server(s) 1104 can also be hardware and/or software (e.g., threads, processes, computing devices).
  • The servers 1104 can house threads to perform transformations by employing the various embodiments, for example.
  • One possible communication between a client 1102 and a server 1104 can be in the form of a data packet adapted to be transmitted between two or more computer processes.
  • The data packet may include a cookie and/or associated contextual information, for example.
  • The system 1100 includes a communication framework 1106 (e.g., a global communication network such as the Internet) that can be employed to facilitate communications between the client(s) 1102 and the server(s) 1104 .
  • Communications can be facilitated through a wired (including optical fiber) and/or wireless technology.
  • The client(s) 1102 are operatively connected to one or more client data store(s) 1108 that can be employed to store information local to the client(s) 1102 (e.g., cookie(s) and/or associated contextual information).
  • The server(s) 1104 are operatively connected to one or more server data store(s) 1110 that can be employed to store information local to the servers 1104 .
  • The terms (including a reference to a “means”) used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., a functional equivalent), even though not structurally equivalent to the disclosed structure, which performs the function in the herein illustrated exemplary aspects.
  • The various aspects include a system as well as a computer-readable medium having computer-executable instructions for performing the acts and/or events of the various methods.

Abstract

Access control as it relates to policies or permissions is provided based on a created model. A security policy is abstracted and can be independent of a mechanism used to protect resources. An abstract model of a potential user, user role and/or resource is created without associating a specific individual and/or resource with a model. These abstract user models and abstract resource models can be used across applications or within disparate applications. The abstracted security policies can be selectively applied to the model. Specific users and/or resources can be associated with one or more abstract user models or abstract resource models. The models can be nested to provide configurations for larger systems.

Description

  • BACKGROUND
  • Computers and computer systems are widely utilized in a multitude of environments (e.g., business, personal, and so forth). Individuals that perform functions with computers and/or computer systems (e.g., create, modify, store, delete, data entry, and so on) generally are provided access rights that allow the individual to perform various functions or use various applications but does not allow other functions to be performed and/or applications to be utilized. For example, a supervisor might be given access to modify employee records and to view employee compensation packages while a subordinate might not be given access to these types of information.
  • Administrators and other users of a computer system can utilize an infrastructure to implement and manage the various access rights. This requires access permissions to be configured for a multitude of resources and a multitude of individuals. Configuring the disparate computers, settings, and other information is not only time consuming but also requires the administrator to remember each setting. In addition, the administrator should provide similar individuals (e.g., individuals performing the same work function) with similar, if not identical, access rights. As changes are made to each individual's access rights, the original intent of such access rights might be lost as a result of errors occurring when access rights are created and/or modified, or as a result of a number of incorrect changes being made in order to create a desired access right setting, especially when initially it is not known how to manipulate the setting. Thus, users performing a similar function might have different access rights, which can potentially cause problems, especially if a user has access to something that they should not have access to.
  • Thus, access management today involves configuring low-level settings specific to resource managers and has little resemblance to the “intent” of the policy author. Such settings are difficult to maintain and hard to reconcile with the policy intent once the configuration is complete. Moreover, when the same policy is to be applied repeatedly over many domains, it requires that low-level configurations be made repeatedly. This is expensive to manage, and furthermore offers little support in the form of querying and comprehending the configured policy with regard to the intent.
  • SUMMARY
  • The following presents a simplified summary in order to provide a basic understanding of some aspects of the disclosed embodiments. This summary is not an extensive overview and is intended to neither identify key or critical elements nor delineate the scope of such embodiments. Its purpose is to present some concepts of the described embodiments in a simplified form as a prelude to the more detailed description that is presented later.
  • In accordance with one or more embodiments and corresponding disclosure thereof, various aspects are described in connection with model-based access control and permission rights. An abstract user role model and/or an abstract resource model are created that can be modular and utilized across many different applications. Abstracted security policies can be associated with each user role model, making such model and associated access rights uniform for a particular role or function. A specific individual or more than one individual can be associated with each user role model and permissions granted to such individuals can be based on the permissions granted to the user role model.
  • To the accomplishment of the foregoing and related ends, one or more embodiments comprise the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative aspects and are indicative of but a few of the various ways in which the principles of the embodiments may be employed. Other advantages and novel features will become apparent from the following detailed description when considered in conjunction with the drawings and the disclosed embodiments are intended to include all such aspects and their equivalents.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 illustrates a system that provides model-based access control.
  • FIG. 2 illustrates a system that can facilitate model-based access control.
  • FIG. 3 illustrates a view of a model for a subset of a system.
  • FIG. 4 illustrates an exemplary manual administration of assigning access rights to a multitude of users.
  • FIG. 5 illustrates an exemplary system that can be utilized with the disclosed embodiments.
  • FIG. 6 illustrates another system that can be utilized with the disclosed embodiments.
  • FIG. 7 illustrates the extensible nature of the disclosed embodiments.
  • FIG. 8 illustrates a simplified template for a family personal computer or domain.
  • FIG. 9 illustrates a method for providing a model based access control that is modular.
  • FIG. 10 illustrates a block diagram of a computer operable to execute the disclosed embodiments.
  • FIG. 11 illustrates a schematic block diagram of an exemplary computing environment operable to execute the disclosed embodiments.
  • DETAILED DESCRIPTION
  • Various embodiments are now described with reference to the drawings. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of one or more aspects. It may be evident, however, that the various embodiments may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing these embodiments.
  • As used in this application, the terms “component”, “module”, “system”, and the like are intended to refer to a computer-related entity, either hardware, a combination of hardware and software, software, or software in execution. For example, a component may be, but is not limited to being, a process running on a processor, a processor, an object, an executable, a thread of execution, a program, and/or a computer. By way of illustration, both an application running on a server and the server can be a component. One or more components may reside within a process and/or thread of execution and a component may be localized on one computer and/or distributed between two or more computers.
  • The word “exemplary” is used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs.
  • Furthermore, the one or more embodiments may be implemented as a method, apparatus, or article of manufacture using standard programming and/or engineering techniques to produce software, firmware, hardware, or any combination thereof to control a computer to implement the disclosed embodiments. The term “article of manufacture” (or alternatively, “computer program product”) as used herein is intended to encompass a computer program accessible from any computer-readable device, carrier, or media. For example, computer readable media can include but are not limited to magnetic storage devices (e.g., hard disk, floppy disk, magnetic strips . . . ), optical disks (e.g., compact disk (CD), digital versatile disk (DVD) . . . ), smart cards, and flash memory devices (e.g., card, stick). Additionally it should be appreciated that a carrier wave can be employed to carry computer-readable electronic data such as those used in transmitting and receiving electronic mail or in accessing a network such as the Internet or a local area network (LAN). Of course, those skilled in the art will recognize many modifications may be made to this configuration without departing from the scope of the disclosed embodiments.
  • Various embodiments will be presented in terms of systems that may include a number of components, modules, and the like. It is to be understood and appreciated that the various systems may include additional components, modules, etc. and/or may not include all of the components, modules, etc. discussed in connection with the figures. A combination of these approaches may also be used. The various embodiments disclosed herein can be performed on electrical devices including devices that utilize touch screen display technologies and/or mouse-and-keyboard type interfaces. Examples of such devices include computers (desktop and mobile), smart phones, personal digital assistants (PDAs), and other electronic devices both wired and wireless.
  • Referring initially to FIG. 1, illustrated is a system 100 that provides model-based access control. System 100 provides a security policy that can be abstracted from resource manager primitives and can specify a policy with higher-level abstractions that can mirror the intent of a policy author. Additionally or alternatively, system 100 can facilitate creating and applying multiple instances of a security policy across a variety of different authorization contexts. System 100 can further be configured to specify a security policy in nested models.
  • When an administrator or other person responsible for controlling access to and protecting resources configures access permissions for a variety of resources and a multitude of people, it can become difficult to configure the low-level settings directly on the resources themselves. There can also be a management problem when there are a large number of resources for which a user should have permission to access. These resources can be anything where there are applications that can be loaded (e.g., file shares, share point sites, access to traditional applications, and so on). Sometimes access control configuration is performed by modifying various settings of the underlying authorization mechanisms without understanding or appreciating the ramifications of such modifications or the policy involved. Generally, a configuration cannot be copied from one context to another context but must be manually reconfigured. This may or may not result in the same configuration, especially if there are errors in one or more of the configuration set points. This can lead to problems such as where there are compliance issues and other regulatory forces that expect information relating to the exact enterprise access management policies. System 100 can be configured to maintain the policies and preserve such policies for a group of users that have substantially the same access rights.
  • In further detail, system 100 includes an abstraction component 102 that can be configured to abstract from underlying implementations of various applications and parameters a security policy to protect resources. Based in part on the security policy, abstraction component 102 can build one or more abstract user models, one or more abstract resource models, or both abstract user models and abstract resource models. The abstract user model might be an abstract of a particular user role or another means of identifying similar users that should have access to similar resources to create a model (e.g., manufacturing supervisor, bank teller, toll-road booth operator, librarian, and so forth). The abstract user model might be a model of an organization of resources and users. For example, it can be a hierarchy of resources (or scopes) related to a hierarchy of users in a group.
  • Abstraction component 102 can be independent of the type of mechanism or configuration actually used to protect resources (e.g., programs, applications, formats, files, and so forth) and/or the user that actually accesses the resources. For example, regardless of the mechanism utilized, persons that need access to financial documents should be allowed access to those financial documents. Through utilization of abstraction component 102, an administrator or other person responsible for persisting a security policy does not have to manually perform low-level configuration for each user and/or resource but may modify the user model and/or the resource model.
  • Additionally, abstraction component 102 can be configured to help preserve the policy intent. Since the security policy is abstracted from the resource management primitive, an abstraction can be provided that can allow policy authors to specify one or more policies in a manner that is closer to the actual intent (e.g., such as a codified intent) rather than the underlying implementation that protects the resources.
  • Additionally, abstraction component 102 can be configured to provide repeatability of the abstract model configuration. In such a manner, the abstract models (e.g., user, resource) can be modular and can be applied across different applications or through various and disparate roles and functions. For example, a national bank might have branches and would like to ensure that each branch has the same kind of configuration (e.g., a manager has more permissions than an assistant manager and a teller has low-level permissions). These resources, roles and associated permissions are the same for each branch, although a different person is performing the corresponding function (e.g., manager, teller). Thus, repeatability of the permission configuration can be persisted through all the branches.
  • An assignment component 104 can be configured to identify or designate one or more specific users to an abstract user model or to more than one abstract user model. For example, a role can be a bank teller, a bank supervisor, a machine shop foreman, a receptionist, a child, an adult, and so forth. Assignment component 104 can be configured to maintain information relating to why a user role or group of user roles has access to certain permissions and/or can translate an abstract model into concrete terms, thereby assigning permissions to the users for use of the concrete resources. Assignment component 104 can further be configured to assign one or more resources to the abstract resource models.
  • Also included in system 100 is an authorization component 106 that can be configured to set permissions (e.g., name specific users/groups with their rights) on the concrete resources based in part on the model. At substantially the same time as the user is identified and placed into the desired group or groups, the appropriate permissions and memberships can be automatically created as a consequence of identifying the user with a particular user model.
  • Additionally, authorization component 106 can be configured to maintain information relating to why a specific individual has access to various permissions. If a user performs different roles, the user can be given permissions relating to each of those roles, depending on the task being performed. For example, if the user is a receptionist but also fills in when the payroll clerk is out, this user might have both permissions (receptionist and payroll clerk). However, if the user is not covering for the payroll clerk, the permissions relating to payroll functions can be disabled and only the receptionist permissions are allowed during those times.
  • FIG. 2 illustrates a system 200 that can facilitate model-based access control. System 200 can be configured to simplify an authorization policy and implementation of that authorization policy. There can be a multitude of security knobs (e.g., privileges, resource names, and so on) on each computer. In a large installation there can be hundreds or thousands of computers, which would make it very difficult, if not impossible, to manually configure and monitor these settings. System 200 can be configured to conceal the complexity of the underlying implementation from users and administrators. In some embodiments, users and administrators can access the underlying implementation if desired.
  • System 200 can mitigate repetitive manual effort by an administrator when complex policies apply to multiple objects. System 200 can also retain information relating to a policy, making it possible to determine the parameters of the policy even if there has been a long history of incremental changes.
  • System 200 includes an abstraction component 202 that can be configured to abstract or conceptualize from underlying implementations of various applications and parameters a security policy to protect resources and to create abstract user models, abstract resource models, or both models. Also included is an assignment component 204 that can be configured to correlate the abstracted security policies and a user model with a specific user or users and a resource model with a specific resource or resources. Also included in system 200 is a permission component 206 that can be configured to automatically set permissions on the specific resources based on the model.
  • Abstraction component 202 can include a resource module 208 and a function module 210 that independently or in conjunction acquire a model of the various resources, users and permissions as viewed by an administrator. Resource module 208 can include information relating to the various resources available and create an abstract resource model based on such available resources. Function module 210 can include information relating to the potential roles (e.g., user) through which people can have access (e.g., human resource manager, stock clerk, and so forth). Abstraction component 202 can (e.g., through resource module 208 and/or function module 210) provide a mechanism or vocabulary that allows the model to be specified in abstract terms.
  • For example, there can be an abstract resource, such as the Emerald project, and there are project facilitators that should have various accesses because of their role as facilitators. Thus, abstraction component 202 does not focus on specific resources being protected but on a conceptual organization of these resources and a conceptual organization of users and the kinds of permissions for each user on the resources.
  • Assignment component 204 can include a scope module 212 and a role module 214. The scope module 212 can include or can access a collection of resources, and a subset of these resources can be assigned to one or more abstract resource models 216, labeled Resource1 through ResourceK, where K is an integer. Also included is a role module 214 that can access or maintain a collection of principals that can be assigned to one or more abstract user models. These principals can be users 218 or user roles, labeled User1 through UserN, where N is an integer. The model created by system 200 can be populated with specific users and/or resources (e.g., disk files, databases, other things specified in the model).
  • It should be understood that there are other ways by which a model can be represented and roles and scopes are just one example of representing the model. Thus, no matter the mechanism or vocabulary used, the resources and user groups or roles can be defined based on the relationship they have with each other. The permissions can be specified based on those primitives instead of the actual physical resource and real users.
  • There can be a first person abstracting the system, another person instantiating the abstracted or conceptual organization to specific resources and another person adding users to the appropriate tools. Therefore, these resources can be conveyed in an independent manner from the intent and there can be complicated relations that are instantiated in different contexts.
  • Additionally, the modular concepts can be configured to create nested models. Security policies can be specified in these nested modules. A model can be specified for access control and that model can be used as a component in building models for bigger systems.
  • Since the roles are generic or abstract, models can be used in other models or sub-models and used in a modular manner. For example, there can be templates for each bank branch and a head branch in each city. There can be a model specifying who is allowed to designate a back-up manager. However, the branch itself is not modeled anew in order to describe this. Instead, a branch model already built can be reused and combined with the back-up manager module.
  • FIG. 3 illustrates a view of a model 300 for a subset of a system. This model view 300 can be from the perspective of an administrator, a user and/or entity that is responsible for assigning specific individuals to specific roles or accesses (e.g., security accesses). Illustrated are two project repositories 302 and 304, which can represent two projects being worked on concurrently within an organization. In some embodiments, the repositories 302, 304 can represent other items, jobs, tasks, and so forth that have a multitude of users that should be assigned different access rights as it relates to the item, jobs, tasks, and so on. These repositories 302, 304 can be scopes for resources, one for the first project 302 and one for the second project 304.
  • Each project 302, 304 can have various roles or a logical class of users assigned to perform various functions as it relates to the project 302, 304. For example, the first project 302 has two roles, which can be developers 306 and project managers 308. In this simple example, the second project 304 also has two similar roles, developers 306 and project managers 308. However, it should be understood that there can be a multitude of roles, and two are illustrated for purposes of simplicity. Additionally or alternatively, more than one user can be assigned to each role and the roles can be utilized across repositories 302, 304, as represented by roles 306 and 308. When deploying a project repository 302, 304, a group for each role can be created. This group can include users who are performing the functions of that role for the project. Thus, a scope is a collection of resources and a role is a collection of principals.
  • In this simple illustration, an administrator (or other responsible party) places a user 310 into the desired group or groups, and the appropriate permissions and memberships are automatically created as a consequence of identifying the user 310 with a particular role 306, 308. That is to say, for each repository 302, 304, a multitude of roles 306 and 308 can be assigned, which may be different roles and/or a different number of roles than those illustrated and described. One or more individuals are assigned to each role and the corresponding access rights for that role are applied to that user. Such assignment can be based on a unique identifier associated with that individual, such as a user id, a user password, or other identifiers. As illustrated, the user 310 is assigned to a developer role 306 in the first repository 302 and a project manager role 308 in the second repository 304.
  • FIG. 4 illustrates an exemplary manual administration 400 of assigning access rights to a multitude of users. This example is similar to the above example and includes a first project 402 and a second project 404. A developer 406 and a project manager 408 are identified or associated with each project 402, 404. A user 410 might be responsible for the role of developer 406 in the first project 402 and the role of project manager 408 in the second project 404.
  • However, when manually assigning roles 406, 408 to the associated projects 402 and 404 (e.g., without utilizing the disclosed embodiments), the roles 406, 408 cannot be utilized across the applications 402, 404. Therefore, further manual action is required to assign the roles and individuals to the projects 402, 404. In the following discussion, only one role will be described for purposes of simplicity. For manual administration, a server 412 is utilized for each role. Each user or group of users 406, 408 would be manually associated with one or more operations, such as an edit permission 414 and a read permission 416, for example. Each permission 414, 416 is manually associated with a user or group of users 406, 408, and for each role (e.g., developer 406 and project manager 408) the permission would have to be manually configured a multitude of times.
  • Manual configuration can lead to errors since there are so many configurations that need to be modified manually. Thus, the disclosed embodiments can mitigate repetitive manual effort of the administrator by providing modular roles that can be utilized across multiple projects. In addition, the disclosed embodiments can make it simple to determine a policy and its purpose after a long history of incremental changes (e.g., changes to access rights).
  • With reference now to FIG. 5, illustrated is an exemplary system 500 that can be utilized with the disclosed embodiments. The system can include a template, illustrated by dotted line 502, and an instance, illustrated by dotted line 504. The template 502 and its instance 504 can be referred to as a leaf scope that can correspond to an instance of a service and a subset of its resources. In addition to coding the service, a scope template 502 is created that can define the roles for the service. A role can determine the permissions that a user can have when performing the functions of that role. The roles of FIG. 5 are illustrated as contributor 506 and reader or viewer 508. Each role 506, 508 can be tailored to enable a user or group of users to perform a task (e.g., bank teller, HR benefits clerk, contributor or viewer of documents, and so forth). In the example, the contributor 506 can edit documents and, as illustrated, can also be a viewer 508, which is an example of role nesting.
  • The predefined roles 506, 508 can help to determine a combination of permissions that should be tested to make sure they correctly enable the desired tasks and conform to an authorization policy within the scope. The scope template 502 is instantiated to create a scope. The same template 502 can be utilized to create many scopes, as illustrated in FIG. 5. In this illustration, the contributor 506 and viewer 508 roles have the same permissions for the resource in the scope that the corresponding role template had in the template. A user 510 is illustrated as being placed into the viewer role. Each scope can precisely mirror the scope template and has the resources, roles, and permissions defined in the template 502.
  • FIG. 6 illustrates another system 600 that can be utilized with the disclosed embodiments. Various program applications can be utilized to create higher-level templates. System 600 includes a project repository 602 that can include at least two subparts, illustrated as specifications 604 and sources 606. A project manager role 608 can be assigned to a contributor role 610 in the specification server 604 and a viewer or reader role 612 in the source server 606. A part's role can include the interface that it exports to containing scopes. The smallest parts are actual services; larger composite parts, such as a project, contain subparts. These can be nested as deeply as needed to provide the various roles and sub-roles. Since this can be defined for all project repositories, an administrator simply instantiates the model without needing to understand all the details involved. Two instances of this project template would appear similar to the system illustrated in FIG. 3. Thus, smaller parts or sub-roles can be utilized to create larger roles without needing the multiple manual configurations described above.
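The scope and role structure of FIG. 3, the leaf template with role nesting of FIG. 5 and the composite template of FIG. 6 can be carried through in code. The following Python is an added example, not code from the patent or from Microsoft: the names ScopeTemplate, CompositeTemplate, instantiate_leaf, instantiate_composite and permissions_for, the user "alice" and the developer role's part mapping are assumptions; the contributor/viewer roles with contributor nested over viewer, and the project manager being a contributor on specifications and a viewer on sources, follow the description above.

```python
"""Scope templates, role nesting and composite templates (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Grant = Tuple[str, str, str]  # (principal, concrete resource, permission)


@dataclass
class ScopeTemplate:
    """Leaf scope template: the resources a scope holds, its roles with their
    permissions, and role nesting (a role that also carries another role's rights)."""
    name: str
    resources: List[str]
    roles: Dict[str, Set[str]]
    nested: Dict[str, str] = field(default_factory=dict)

    def role_permissions(self, role: str) -> Set[str]:
        """Follow the nesting chain, so contributor = edit plus everything viewer has."""
        perms: Set[str] = set()
        seen: Set[str] = set()
        current = role
        while current is not None and current not in seen:
            seen.add(current)
            perms |= self.roles[current]
            current = self.nested.get(current)
        return perms


@dataclass
class CompositeTemplate:
    """Higher-level template built from parts. Each composite role lists the
    (part, part role) pairs it maps onto: the interface each part exports."""
    name: str
    parts: Dict[str, ScopeTemplate]
    roles: Dict[str, List[Tuple[str, str]]]


def instantiate_leaf(tpl: ScopeTemplate, instance: str,
                     members: Dict[str, Set[str]]) -> Set[Grant]:
    """Create a scope from a leaf template: every member of a role receives that
    role's permissions on every resource of this instance."""
    grants: Set[Grant] = set()
    for role, principals in members.items():
        for perm in tpl.role_permissions(role):
            for res in tpl.resources:
                for principal in principals:
                    grants.add((principal, f"{instance}/{res}", perm))
    return grants


def instantiate_composite(tpl: CompositeTemplate, instance: str,
                          members: Dict[str, Set[str]]) -> Set[Grant]:
    """Create a composite scope: members of a composite role are placed into the
    mapped role of each part's own instance."""
    grants: Set[Grant] = set()
    for role, principals in members.items():
        for part, part_role in tpl.roles[role]:
            grants |= instantiate_leaf(tpl.parts[part], f"{instance}/{part}",
                                       {part_role: principals})
    return grants


def permissions_for(grants: Set[Grant], principal: str) -> Dict[str, Set[str]]:
    """Effective permissions of one principal, grouped by concrete resource."""
    out: Dict[str, Set[str]] = {}
    for who, res, perm in grants:
        if who == principal:
            out.setdefault(res, set()).add(perm)
    return out


# Leaf template as in FIG. 5: a viewer reads documents; a contributor edits and,
# through nesting, also holds the viewer's rights.
SERVER = ScopeTemplate(
    name="server",
    resources=["documents"],
    roles={"viewer": {"read"}, "contributor": {"edit"}},
    nested={"contributor": "viewer"},
)

# Composite template as in FIG. 6. Project manager = contributor on specifications,
# viewer on sources (from the description); the developer mapping is an assumption.
PROJECT = CompositeTemplate(
    name="project",
    parts={"specifications": SERVER, "sources": SERVER},
    roles={
        "project_manager": [("specifications", "contributor"), ("sources", "viewer")],
        "developer": [("specifications", "viewer"), ("sources", "contributor")],
    },
)


def build_example() -> Set[Grant]:
    """Two instances of the project template, as in FIG. 3: constructed user
    'alice' is a developer in project1 and a project manager in project2."""
    grants = instantiate_composite(PROJECT, "project1", {"developer": {"alice"}})
    grants |= instantiate_composite(PROJECT, "project2", {"project_manager": {"alice"}})
    return grants


if __name__ == "__main__":
    for res, perms in sorted(permissions_for(build_example(), "alice").items()):
        print(res, sorted(perms))
```

Placing a user into a role is the only administrative act; the concrete grants on every resource of both projects follow from the templates, which is the repetitive configuration of FIG. 4 that the model removes.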
  • FIG. 7 illustrates the extensible nature of the disclosed embodiments. Illustrated is a template 700 for a bank teller application to demonstrate the extensible policy in a business application. A low role 702 and a high role 704 can be applied to accounts 706 that a bank services. Each role 702, 704 can have a corresponding permission to transfer amounts, such as $1000 for the low role 702 and $100,000 for the high role.
  • In an outer branch application, a teller role 708 and a manager role 710 can be assigned to the low accounts and the high accounts, respectively. An administrator or other user responsible for assigning the roles can add to the application logic the amount value for the current transaction, and a policy system can evaluate the expression. Thus, the roles are modular and the policy can be updated through the model-based access control without changing the application code.
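The extensible policy of FIG. 7 separates what the application supplies (the current transaction's amount) from what the model decides (the limit attached to the caller's role). The following Python is an added example, not code from the patent or from Microsoft: the low/high roles with their $1,000 and $100,000 transfer limits and the teller-to-low, manager-to-high binding follow FIG. 7; the user names, the Decision type and the transfer_limit/authorize functions are assumptions.

```python
"""Role-carried transfer limits evaluated against the transaction amount (added example)."""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Template roles on the accounts the bank services, each carrying the amount
# it may transfer (FIG. 7). This is policy data, not application code.
TEMPLATE_ROLES: Dict[str, int] = {"low": 1_000, "high": 100_000}

# The outer branch application binds its own roles onto the template roles.
BRANCH_BINDING: Dict[str, str] = {"teller": "low", "manager": "high"}

# Constructed membership for the example (assumption).
MEMBERS: Dict[str, Set[str]] = {"teller": {"tia"}, "manager": {"mara"}}


def transfer_limit(principal: str, binding: Dict[str, str] = BRANCH_BINDING,
                   roles: Dict[str, int] = TEMPLATE_ROLES,
                   members: Dict[str, Set[str]] = MEMBERS) -> int:
    """Highest transfer limit among the template roles the principal holds;
    0 when the principal holds no transfer role at all."""
    limit = 0
    for branch_role, principals in members.items():
        if principal in principals:
            limit = max(limit, roles[binding[branch_role]])
    return limit


def authorize(principal: str, action: str, amount: int, **policy) -> Decision:
    """Policy system: the application passes only the transaction amount; the
    model decides. Updated limits or bindings arrive as data (the keyword
    arguments), so the application code itself does not change."""
    if action != "transfer":
        return Decision(False, f"no policy for action {action!r}")
    if amount <= 0:
        return Decision(False, "amount must be positive")
    limit = transfer_limit(principal, **policy)
    if limit == 0:
        return Decision(False, f"{principal} holds no transfer role")
    if amount > limit:
        return Decision(False, f"{amount} exceeds limit {limit}")
    return Decision(True, f"{amount} within limit {limit}")


if __name__ == "__main__":
    for who, amt in [("tia", 1_000), ("tia", 1_001), ("mara", 50_000), ("pat", 5)]:
        print(who, amt, authorize(who, "transfer", amt))
```

Raising the low role's limit, or binding a new branch role onto an existing template role, is a change to the policy data only; the call site in the application stays the same.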
  • FIG. 8 illustrates a simplified template for a family personal computer or domain. Module-based access control can be utilized for enterprise applications and it can also make authorization less complicated for small businesses and consumers. It should be noted that FIG. 8 illustrates only a sub-portion of a family domain for purposes of simplicity.
  • A desktop for a single machine might have several predefined roles (e.g., abstract user models), such as an adult 802, a child 804, and a friend 806. Also included can be several predefined scopes, such as household 808, community 810, and a user scope template 812. These scopes 808, 810, 812 can be built from the same basic scope template. This scope template appears four times in the figure. Adult 802 can be an owner 814 and child 804 can be a contributor on the household scope 808 and the community scope 810. Each user can have a buddy list and buddies 816 are friends for the castle 818 and in addition are readers 820 on the user's shared sub-scope. It should be noted that this is a simple example and a small business can have several more parts.
  • FIG. 9 illustrates a method 900 for providing a model based access control that is modular. While, for purposes of simplicity of explanation, the methodologies are shown and described as a series of blocks, it is to be understood and appreciated that the disclosed embodiments are not limited by the number or order of blocks, as some blocks may occur in different orders and/or concurrently with other blocks from what is depicted and described herein. Moreover, not all illustrated blocks may be required to implement the methodologies described hereinafter. It is to be appreciated that the functionality associated with the blocks may be implemented by software, hardware, a combination thereof or any other suitable means (e.g. device, system, process, component). Additionally, it should be further appreciated that the methodologies disclosed hereinafter and throughout this specification are capable of being stored on an article of manufacture to facilitate transporting and transferring such methodologies to various devices. Those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram.
  • At 902, an abstract security policy is created. This security policy can be created in such a manner that it is independent from the type of mechanism or configuration actually used to protect resources (e.g., programs, applications, formats, files, and so forth). An abstract user model and/or an abstract resource model can be created or developed at 904. These models are not specific to a particular user and/or a particular resource but relate to different resources, roles or functions and the access control that should be authorized for various resources, users, or user roles.
  • At 906, specific users and/or specific resources are associated with one or more abstract user models or abstract resource models. For example, a user model might be for a supervisor that should have security policies that relate to a subordinate's functions. In such a manner, the supervisor should be given the abstracted security policy for the supervisor and the abstracted security policy for the subordinate. In addition, more than one user model can be associated with more than one abstract security policy by nesting the models in such a manner that the model can be specified for access control and that model can be used as a component in building models for bigger systems. The association, at 906, also allows for modularity in that the abstract user model and associated abstract security policy or abstract resource model can be used across applications or in different applications.
  • Permissions (e.g., naming specific users/groups with their rights) can be automatically set on specific resources based on the model, at 908. In some embodiments more than one individual is associated with either or both the abstracted user model and the abstracted security policy.
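Steps 902 through 908 of method 900, carried through end to end: an abstract policy stated without reference to any protection mechanism, abstract user and resource models, concrete users and resources bound to them (with the supervisor also receiving the subordinate's policy, as described for 906), and the permission component translating the result into the concrete terms of whatever mechanism protects each resource. The following Python is an added example, not code from the patent or from Microsoft; the abstract rights, the two target mechanisms (POSIX ACL entries and SQL GRANT statements) and every user, role and resource name are assumptions.

```python
"""Method 900: abstract policy to mechanism-specific permissions (added example)."""
from typing import Dict, List, Set, Tuple

# 902: the abstract security policy names roles and abstract rights on resource
# *kinds*. Nothing here mentions a file, a table or an ACL.
ABSTRACT_POLICY: Dict[str, Dict[str, Set[str]]] = {
    "subordinate": {"report": {"read"}},
    "supervisor": {"review": {"read", "write"}},
}
# 906 (nesting): a supervisor also receives the subordinate's policy.
ROLE_INCLUDES: Dict[str, List[str]] = {"supervisor": ["subordinate"]}

# 904/906: abstract user model bound to concrete users; abstract resource model
# bound to concrete resources, each tagged with the mechanism that protects it.
USER_MODEL: Dict[str, Set[str]] = {"subordinate": {"dana"}, "supervisor": {"sam"}}
RESOURCE_MODEL: Dict[str, List[Tuple[str, str]]] = {
    "report": [("posix_acl", "/srv/reports/q1.txt"), ("sql", "reports.q1")],
    "review": [("posix_acl", "/srv/reviews/q1.txt")],
}

# 908: the permission component's translation tables, one per mechanism.
ACL_BITS = {"read": "r", "write": "w"}
SQL_PRIVS = {"read": ["SELECT"], "write": ["INSERT", "UPDATE"]}


def expand_roles(role: str) -> Set[str]:
    """A role plus every role it includes, transitively (safe against cycles)."""
    out: Set[str] = set()
    todo = [role]
    while todo:
        r = todo.pop()
        if r not in out:
            out.add(r)
            todo.extend(ROLE_INCLUDES.get(r, []))
    return out


def abstract_rights(user: str) -> Dict[str, Set[str]]:
    """Abstract rights of a user on each resource kind, via the user model."""
    rights: Dict[str, Set[str]] = {}
    for role, users in USER_MODEL.items():
        if user not in users:
            continue
        for r in expand_roles(role):
            for kind, rs in ABSTRACT_POLICY.get(r, {}).items():
                rights.setdefault(kind, set()).update(rs)
    return rights


def render(mechanism: str, resource: str, user: str, rights: Set[str]) -> str:
    """Translate one abstract grant into the mechanism's own concrete terms."""
    if mechanism == "posix_acl":
        bits = "".join(ACL_BITS[r] if r in rights else "-" for r in ("read", "write"))
        return f"setfacl -m u:{user}:{bits}- {resource}"
    if mechanism == "sql":
        privs = sorted(p for r in rights for p in SQL_PRIVS[r])
        return f"GRANT {', '.join(privs)} ON {resource} TO {user};"
    raise ValueError(f"no translation for mechanism {mechanism!r}")


def compile_permissions(users: List[str]) -> List[str]:
    """Step 908: one concrete permission statement per user and bound resource."""
    out: List[str] = []
    for user in users:
        for kind, rights in abstract_rights(user).items():
            for mechanism, resource in RESOURCE_MODEL[kind]:
                out.append(render(mechanism, resource, user, rights))
    return sorted(out)


if __name__ == "__main__":
    print("\n".join(compile_permissions(["dana", "sam"])))
```

Binding a new kind of resource to the model, or moving a report from a file to a table, changes only the resource model and its translation table; the policy at 902 and the user model at 904 are untouched, which is the mechanism independence claimed for the abstraction component.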
  • Referring now to FIG. 10, there is illustrated a block diagram of a computer operable to execute the disclosed architecture. In order to provide additional context for various aspects disclosed herein, FIG. 10 and the following discussion are intended to provide a brief, general description of a suitable computing environment 1000 in which the various aspects can be implemented. While the one or more embodiments have been described above in the general context of computer-executable instructions that may run on one or more computers, those skilled in the art will recognize that the various embodiments also can be implemented in combination with other program modules and/or as a combination of hardware and software.
  • Generally, program modules include routines, programs, components, data structures, etc., that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the inventive methods can be practiced with other computer system configurations, including single-processor or multiprocessor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based or programmable consumer electronics, and the like, each of which can be operatively coupled to one or more associated devices.
  • The illustrated aspects may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules can be located in both local and remote memory storage devices.
  • A computer typically includes a variety of computer-readable media. Computer-readable media can be any available media that can be accessed by the computer and includes both volatile and nonvolatile media, removable and non-removable media. By way of example, and not limitation, computer-readable media can comprise computer storage media and communication media. Computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital video disk (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by the computer.
  • Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and includes any information delivery media. The term “modulated data signal” means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. By way of example, and not limitation, communication media includes wired media such as a wired network or direct-wired connection, and wireless media such as acoustic, RF, infrared and other wireless media. Combinations of any of the above should also be included within the scope of computer-readable media.
  • With reference again to FIG. 10, the exemplary environment 1000 for implementing various aspects includes a computer 1002, the computer 1002 including a processing unit 1004, a system memory 1006 and a system bus 1008. The system bus 1008 couples system components including, but not limited to, the system memory 1006 to the processing unit 1004. The processing unit 1004 can be any of various commercially available processors. Dual microprocessors and other multi-processor architectures may also be employed as the processing unit 1004.
  • The system bus 1008 can be any of several types of bus structure that may further interconnect to a memory bus (with or without a memory controller), a peripheral bus, and a local bus using any of a variety of commercially available bus architectures. The system memory 1006 includes read-only memory (ROM) 1010 and random access memory (RAM) 1012. A basic input/output system (BIOS) is stored in a non-volatile memory 1010 such as ROM, EPROM, EEPROM, which BIOS contains the basic routines that help to transfer information between elements within the computer 1002, such as during start-up. The RAM 1012 can also include a high-speed RAM such as static RAM for caching data.
  • The computer 1002 further includes an internal hard disk drive (HDD) 1014 (e.g., EIDE, SATA), which internal hard disk drive 1014 may also be configured for external use in a suitable chassis (not shown), a magnetic floppy disk drive (FDD) 1016 (e.g., to read from or write to a removable diskette 1018) and an optical disk drive 1020 (e.g., reading a CD-ROM disk 1022 or, to read from or write to other high capacity optical media such as the DVD). The hard disk drive 1014, magnetic disk drive 1016 and optical disk drive 1020 can be connected to the system bus 1008 by a hard disk drive interface 1024, a magnetic disk drive interface 1026 and an optical drive interface 1028, respectively. The interface 1024 for external drive implementations includes at least one or both of Universal Serial Bus (USB) and IEEE 1394 interface technologies. Other external drive connection technologies are within contemplation of the one or more embodiments.
  • The drives and their associated computer-readable media provide nonvolatile storage of data, data structures, computer-executable instructions, and so forth. For the computer 1002, the drives and media accommodate the storage of any data in a suitable digital format. Although the description of computer-readable media above refers to a HDD, a removable magnetic diskette, and a removable optical media such as a CD or DVD, it should be appreciated by those skilled in the art that other types of media which are readable by a computer, such as zip drives, magnetic cassettes, flash memory cards, cartridges, and the like, may also be used in the exemplary operating environment, and further, that any such media may contain computer-executable instructions for performing the methods disclosed herein.
  • A number of program modules can be stored in the drives and RAM 1012, including an operating system 1030, one or more application programs 1032, other program modules 1034 and program data 1036. All or portions of the operating system, applications, modules, and/or data can also be cached in the RAM 1012. It is appreciated that the various embodiments can be implemented with various commercially available operating systems or combinations of operating systems.
  • A user can enter commands and information into the computer 1002 through one or more wired/wireless input devices, e.g., a keyboard 1038 and a pointing device, such as a mouse 1040. Other input devices (not shown) may include a microphone, an IR remote control, a joystick, a game pad, a stylus pen, touch screen, or the like. These and other input devices are often connected to the processing unit 1004 through an input device interface 1042 that is coupled to the system bus 1008, but can be connected by other interfaces, such as a parallel port, an IEEE 1394 serial port, a game port, a USB port, an IR interface, etc.
  • A monitor 1044 or other type of display device is also connected to the system bus 1008 through an interface, such as a video adapter 1046. In addition to the monitor 1044, a computer typically includes other peripheral output devices (not shown), such as speakers, printers, etc.
  • The computer 1002 may operate in a networked environment using logical connections through wired and/or wireless communications to one or more remote computers, such as a remote computer(s) 1048. The remote computer(s) 1048 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 1002, although, for purposes of brevity, only a memory/storage device 1050 is illustrated. The logical connections depicted include wired/wireless connectivity to a local area network (LAN) 1052 and/or larger networks, e.g., a wide area network (WAN) 1054. Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, e.g., the Internet.
  • When used in a LAN networking environment, the computer 1002 is connected to the local network 1052 through a wired and/or wireless communication network interface or adapter 1056. The adapter 1056 may facilitate wired or wireless communication to the LAN 1052, which may also include a wireless access point disposed thereon for communicating with the wireless adapter 1056.
  • When used in a WAN networking environment, the computer 1002 can include a modem 1058, or is connected to a communications server on the WAN 1054, or has other means for establishing communications over the WAN 1054, such as by way of the Internet. The modem 1058, which can be internal or external and a wired or wireless device, is connected to the system bus 1008 through the serial port interface 1042. In a networked environment, program modules depicted relative to the computer 1002, or portions thereof, can be stored in the remote memory/storage device 1050. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.
  • The computer 1002 is operable to communicate with any wireless devices or entities operatively disposed in wireless communication, e.g., a printer, scanner, desktop and/or portable computer, portable data assistant, communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone. This includes at least Wi-Fi and Bluetooth™ wireless technologies. Thus, the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices.
  • Wi-Fi, or Wireless Fidelity, allows connection to the Internet from home, in a hotel room, or at work, without wires. Wi-Fi is a wireless technology similar to that used in a cell phone that enables such devices, e.g., computers, to send and receive data indoors and out; anywhere within the range of a base station. Wi-Fi networks use radio technologies called IEEE 802.11 (a, b, g, etc.) to provide secure, reliable, fast wireless connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wired networks (which use IEEE 802.3 or Ethernet). Wi-Fi networks operate in the unlicensed 2.4 and 5 GHz radio bands, at an 11 Mbps (802.11a) or 54 Mbps (802.11b) data rate, for example, or with products that contain both bands (dual band), so the networks can provide real-world performance similar to the basic 10BaseT wired Ethernet networks used in many offices.
  • Referring now to FIG. 11, there is illustrated a schematic block diagram of an exemplary computing environment 1100 in accordance with the various embodiments. The system 1100 includes one or more client(s) 1102. The client(s) 1102 can be hardware and/or software (e.g., threads, processes, computing devices). The client(s) 1102 can house cookie(s) and/or associated contextual information by employing the various embodiments, for example.
  • The system 1100 also includes one or more server(s) 1104. The server(s) 1104 can also be hardware and/or software (e.g., threads, processes, computing devices). The servers 1104 can house threads to perform transformations by employing the various embodiments, for example. One possible communication between a client 1102 and a server 1104 can be in the form of a data packet adapted to be transmitted between two or more computer processes. The data packet may include a cookie and/or associated contextual information, for example. The system 1100 includes a communication framework 1106 (e.g., a global communication network such as the Internet) that can be employed to facilitate communications between the client(s) 1102 and the server(s) 1104.
  • Communications can be facilitated through a wired (including optical fiber) and/or wireless technology. The client(s) 1102 are operatively connected to one or more client data store(s) 1108 that can be employed to store information local to the client(s) 1102 (e.g., cookie(s) and/or associated contextual information). Similarly, the server(s) 1104 are operatively connected to one or more server data store(s) 1110 that can be employed to store information local to the servers 1104.
  • What has been described above includes examples of the various embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the various embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the subject specification is intended to embrace all such alterations, modifications, and variations that fall within the spirit and scope of the appended claims.
  • In particular and in regard to the various functions performed by the above described components, devices, circuits, systems and the like, the terms (including a reference to a “means”) used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., a functional equivalent), even though not structurally equivalent to the disclosed structure, which performs the function in the herein illustrated exemplary aspects. In this regard, it will also be recognized that the various aspects include a system as well as a computer-readable medium having computer-executable instructions for performing the acts and/or events of the various methods.
  • In addition, while a particular feature may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application. To the extent that the terms “includes” and “including” and variants thereof are used in either the detailed description or the claims, these terms are intended to be inclusive in a manner similar to the term “comprising.” Furthermore, the term “or” as used in either the detailed description or the claims is meant to be a “non-exclusive or”.

Claims (20)

1. A system that facilitates model-based access control, comprising:
an abstraction component (102, 202) that builds at least one abstract user model or abstract resource model or both;
an assignment component (104, 204) that correlates at least one specific user to the abstract user model and at least one specific resource to the abstract resource model; and
a permission component (106, 206) that automatically sets at least one permission on the specific resource based in part on the abstract resource model.
2. The system of claim 1, the abstraction component is independent of a mechanism used to protect resources.
3. The system of claim 1, the abstraction component preserves a policy intent.
4. The system of claim 1, the assignment component maintains information relating to a user role and its access permissions.
5. The system of claim 1, the abstraction component provides repeatability of a user role configuration.
6. The system of claim 1, the abstract user model and abstract resource model are modular and applied across different applications.
7. The system of claim 1, the permission component translates the abstract user model and abstract resource model into concrete terms.
8. The system of claim 1, the abstraction component provides a mechanism to specify the model in abstract terms.
9. The system of claim 1, a security policy is specified in a nested model.
10. The system of claim 9, the nested model allows the abstract user model and the abstract resource model to be specified for access control and used as a component in building models for larger systems.
11. The system of claim 1, the assignment component recognizes the specific user based on a unique identifier.
12. The system of claim 1, the permission component automatically creates an appropriate permission and membership when the user is identified with the model.
13. A method for providing a model based access control, comprising:
creating an abstract user model and an abstract resource model;
associating at least one specific user with the abstract user model;
associating at least one specific resource with the abstract resource model; and
setting at least one permission on the specific resource based in part on the abstract user role.
14. The method of claim 13, creating an abstract user model and an abstract resource model further comprising creating the models to be independent from a type of mechanism used to protect resources.
15. The method of claim 13, further setting at least one permission on the specific resource based in part on the abstract user role is automatic.
16. The method of claim 13, further comprising nesting the associated abstract user model.
17. The method of claim 13, creating an abstract user model and an abstract resource model provides modularity.
18. The method of claim 13, further comprising associating two or more individuals with the abstract user model and the abstract resource model.
19. A computer executable system that provides access control, comprising:
means for creating an abstract user model and an abstract resource model;
means for associating at least one user to the abstract user model and at least one resource to the abstract resource module.
20. The system of claim 19, further comprising means for applying permission on the at least one resource.

Priority Applications (4)

Application Number Priority Date Filing Date Title
US11/694,014 US20080244736A1 (en) 2007-03-30 2007-03-30 Model-based access control
CN200880010688A CN101652767A (en) 2007-03-30 2008-02-28 Model-based access control
EP08743601A EP2132642A4 (en) 2007-03-30 2008-02-28 Model-based access control
PCT/US2008/055299 WO2008121471A1 (en) 2007-03-30 2008-02-28 Model-based access control

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11/694,014 US20080244736A1 (en) 2007-03-30 2007-03-30 Model-based access control

Publications (1)

Publication Number Publication Date
US20080244736A1 true US20080244736A1 (en) 2008-10-02

Family

ID=39796667

Family Applications (1)

Application Number Title Priority Date Filing Date
US11/694,014 Abandoned US20080244736A1 (en) 2007-03-30 2007-03-30 Model-based access control

Country Status (4)

Country Link
US (1) US20080244736A1 (en)
EP (1) EP2132642A4 (en)
CN (1) CN101652767A (en)
WO (1) WO2008121471A1 (en)

Cited By (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090007260A1 (en) * 2007-06-29 2009-01-01 Microsoft Corporation Security Synchronization Services
US20090313079A1 (en) * 2008-06-12 2009-12-17 Microsoft Corporation Managing access rights using projects
US20090313436A1 (en) * 2008-06-12 2009-12-17 Microsoft Corporation Cache regions
US20090313438A1 (en) * 2008-06-12 2009-12-17 Microsoft Corporation Distributed cache arrangement
US20090328155A1 (en) * 2008-05-12 2009-12-31 George Madathilparamgil George Master device for controlling application security environments
US20100162389A1 (en) * 2008-12-19 2010-06-24 Tomas Burger Providing permission to perform action on an electronic ticket
US20100229231A1 (en) * 2009-03-04 2010-09-09 Kanako Iwai License management system, license management method and license management program
US20100315198A1 (en) * 2008-01-24 2010-12-16 Siemens Aktiengesellschaft Field device and method of operation thereof
US20110078759A1 (en) * 2009-09-30 2011-03-31 International Business Machines Corporation Method and System For Automating Security Policy Definition Based On Recorded Transactions
US20110191485A1 (en) * 2010-02-03 2011-08-04 Os Nexus, Inc. Role based access control utilizing scoped permissions
US20120166983A1 (en) * 2010-12-28 2012-06-28 Hilmar Demant Integrated metadata and nested authorizations in a user interface framework
WO2013176968A1 (en) * 2012-05-25 2013-11-28 Microsoft Corporation Managing distributed operating system physical resources
US9503482B1 (en) 2015-11-05 2016-11-22 International Business Machines Corporation Providing a common security policy for a heterogeneous computer architecture environment
US20180144150A1 (en) * 2016-11-22 2018-05-24 Sap Se Unified instance authorization based on attributes and hierarchy assignment
US20190340554A1 (en) * 2018-05-07 2019-11-07 Microsoft Technology Licensing, Llc Engagement levels and roles in projects
DE102013222384B4 (en) 2012-11-19 2023-09-14 International Business Machines Corporation Context-based security screening for access to data

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9473504B2 (en) * 2014-10-15 2016-10-18 Ayla Networks, Inc. Role based access control for connected consumer devices
CN105740725B (en) * 2016-01-29 2018-08-28 北京大学 A kind of document protection method and system
EP3851954A4 (en) * 2018-11-01 2022-06-22 Hitachi Astemo, Ltd. Software management device

Citations (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5315657A (en) * 1990-09-28 1994-05-24 Digital Equipment Corporation Compound principals in access control lists
US5991877A (en) * 1997-04-03 1999-11-23 Lockheed Martin Corporation Object-oriented trusted application framework
US6081838A (en) * 1997-03-05 2000-06-27 Kokusai Denshin Denwa Co., Ltd. Method for access control on MIB in OSI management
US20020026592A1 (en) * 2000-06-16 2002-02-28 Vdg, Inc. Method for automatic permission management in role-based access control systems
US6434607B1 (en) * 1997-06-19 2002-08-13 International Business Machines Corporation Web server providing role-based multi-level security
US6453353B1 (en) * 1998-07-10 2002-09-17 Entrust, Inc. Role-based navigation of information resources
US20020178119A1 (en) * 2001-05-24 2002-11-28 International Business Machines Corporation Method and system for a role-based access control model with active roles
US20020188729A1 (en) * 2001-06-12 2002-12-12 Rui Zhou Collaboration control system and method
US20030061482A1 (en) * 2001-08-23 2003-03-27 Efunds Corporation Software security control system and method
US6574736B1 (en) * 1998-11-30 2003-06-03 Microsoft Corporation Composable roles
US20030177376A1 (en) * 2002-01-30 2003-09-18 Core Sdi, Inc. Framework for maintaining information security in computer networks
US20030229812A1 (en) * 2002-06-05 2003-12-11 Cristina Buchholz Authorization mechanism
US20040162905A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. Method for role and resource policy management optimization
US20040243835A1 (en) * 2003-05-28 2004-12-02 Andreas Terzis Multilayer access control security system
US20050097166A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy inheritance through nested groups
US20050132220A1 (en) * 2003-12-10 2005-06-16 International Business Machines Corporation Fine-grained authorization by authorization table associated with a resource
US6950825B2 (en) * 2002-05-30 2005-09-27 International Business Machines Corporation Fine grained role-based access to system resources
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US20050262362A1 (en) * 2003-10-10 2005-11-24 Bea Systems, Inc. Distributed security system policies
US20060015416A1 (en) * 2001-03-23 2006-01-19 Restaurant Services, Inc. System, method and computer program product for utilizing market demand information for generating revenue
US7013332B2 (en) * 2001-01-09 2006-03-14 Microsoft Corporation Distributed policy model for access control
US20060089932A1 (en) * 2004-10-22 2006-04-27 International Business Machines Corporation Role-based access control system, method and computer program product
US20060230282A1 (en) * 2005-04-06 2006-10-12 Hausler Oliver M Dynamically managing access permissions
US7124192B2 (en) * 2001-08-30 2006-10-17 International Business Machines Corporation Role-permission model for security policy administration and enforcement
US20060248083A1 (en) * 2004-12-30 2006-11-02 Oracle International Corporation Mandatory access control base
US20060253420A1 (en) * 2005-05-06 2006-11-09 International Business Machines Corp. Method and system for creating a protected object namespace from a WSDL resource description
US20070043716A1 (en) * 2005-08-18 2007-02-22 Blewer Ronnie G Methods, systems and computer program products for changing objects in a directory system
US20070240157A1 (en) * 2006-04-10 2007-10-11 Nokia Corporation Method, apparatus, mobile terminal and computer program product for safe application termination in a virtual machine
US20080034438A1 (en) * 2006-08-07 2008-02-07 International Business Machines Corporation Multiple hierarchy access control method
US20080120302A1 (en) * 2006-11-17 2008-05-22 Thompson Timothy J Resource level role based access control for storage management
US7827615B1 (en) * 2007-01-23 2010-11-02 Sprint Communications Company L.P. Hybrid role-based discretionary access control

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8032935B2 (en) * 2007-06-29 2011-10-04 Microsoft Corporation Security synchronization services
US20090007260A1 (en) * 2007-06-29 2009-01-01 Microsoft Corporation Security Synchronization Services
US20100315198A1 (en) * 2008-01-24 2010-12-16 Siemens Aktiengesellschaft Field device and method of operation thereof
US10372924B2 (en) * 2008-05-12 2019-08-06 George Madathilparambil George Master device for controlling application security environments
US20090328155A1 (en) * 2008-05-12 2009-12-31 George Madathilparamgil George Master device for controlling application security environments
US20090313438A1 (en) * 2008-06-12 2009-12-17 Microsoft Corporation Distributed cache arrangement
US8943271B2 (en) 2008-06-12 2015-01-27 Microsoft Corporation Distributed cache arrangement
US20090313436A1 (en) * 2008-06-12 2009-12-17 Microsoft Corporation Cache regions
US9952971B2 (en) 2008-06-12 2018-04-24 Microsoft Technology Licensing, Llc Distributed cache arrangement
US20090313079A1 (en) * 2008-06-12 2009-12-17 Microsoft Corporation Managing access rights using projects
US8176256B2 (en) 2008-06-12 2012-05-08 Microsoft Corporation Cache regions
US20100162389A1 (en) * 2008-12-19 2010-06-24 Tomas Burger Providing permission to perform action on an electronic ticket
US8296840B2 (en) * 2008-12-19 2012-10-23 Sap Ag Providing permission to perform action on an electronic ticket
US20100229231A1 (en) * 2009-03-04 2010-09-09 Kanako Iwai License management system, license management method and license management program
US8973155B2 (en) * 2009-03-04 2015-03-03 Nec Corporation License management system, license management method and license management program
US20110078759A1 (en) * 2009-09-30 2011-03-31 International Business Machines Corporation Method and System For Automating Security Policy Definition Based On Recorded Transactions
US8640195B2 (en) * 2009-09-30 2014-01-28 International Business Machines Corporation Method and system for automating security policy definition based on recorded transactions
US20110191485A1 (en) * 2010-02-03 2011-08-04 Os Nexus, Inc. Role based access control utilizing scoped permissions
WO2011097134A1 (en) * 2010-02-03 2011-08-11 Os Nexus, Inc. Role based access control utilizing scoped permissions
US9953178B2 (en) 2010-02-03 2018-04-24 Os Nexus, Inc. Role based access control utilizing scoped permissions
US20120166983A1 (en) * 2010-12-28 2012-06-28 Hilmar Demant Integrated metadata and nested authorizations in a user interface framework
US8839375B2 (en) 2012-05-25 2014-09-16 Microsoft Corporation Managing distributed operating system physical resources
CN104380301A (en) * 2012-05-25 2015-02-25 微软公司 Managing distributed operating system physical resources
WO2013176968A1 (en) * 2012-05-25 2013-11-28 Microsoft Corporation Managing distributed operating system physical resources
DE102013222384B4 (en) 2012-11-19 2023-09-14 International Business Machines Corporation Context-based security screening for access to data
US9503482B1 (en) 2015-11-05 2016-11-22 International Business Machines Corporation Providing a common security policy for a heterogeneous computer architecture environment
US9967288B2 (en) 2015-11-05 2018-05-08 International Business Machines Corporation Providing a common security policy for a heterogeneous computer architecture environment
US9769211B2 (en) 2015-11-05 2017-09-19 International Business Machines Corporation Providing a common security policy for a heterogeneous computer architecture environment
US9769212B2 (en) 2015-11-05 2017-09-19 International Business Machines Corporation Providing a common security policy for a heterogeneous computer architecture environment
US20180144150A1 (en) * 2016-11-22 2018-05-24 Sap Se Unified instance authorization based on attributes and hierarchy assignment
US10740483B2 (en) * 2016-11-22 2020-08-11 Sap Se Unified instance authorization based on attributes and hierarchy assignment
US20190340554A1 (en) * 2018-05-07 2019-11-07 Microsoft Technology Licensing, Llc Engagement levels and roles in projects

Also Published As

Publication number Publication date
EP2132642A1 (en) 2009-12-16
CN101652767A (en) 2010-02-17
WO2008121471A1 (en) 2008-10-09
EP2132642A4 (en) 2011-05-25

Similar Documents

Publication Publication Date Title
US20080244736A1 (en) Model-based access control
RU2586866C2 (en) Differentiation of set of features of participant of leased medium and user
US11341118B2 (en) Atomic application of multiple updates to a hierarchical data structure
JP5162094B2 (en) Method and apparatus for metadata-driven business logic processing
US8806185B2 (en) System and method for automatic configuration of portal composite applications
US7676831B2 (en) Role-based access control management for multiple heterogeneous application components
JP5623271B2 (en) Information processing apparatus, authority management method, program, and recording medium
US10609034B2 (en) Hierarchical permissions model for case management
US20140181801A1 (en) System and method for deploying preconfigured software
EP1922625A2 (en) Dual layered access control list
WO2009036896A2 (en) Method and system for managing security policies
US8589306B1 (en) Open source license management
US20210103863A1 (en) Cross-enterprise workflow adaptation
US20210360038A1 (en) Machine policy configuration for managed devices
US20170371890A1 (en) Establishing and enforcing selective object deletion operations on cloud-based shared content
US20200233907A1 (en) Location-based file recommendations for managed devices
US20170206371A1 (en) Apparatus and method for managing document based on kernel
US11263337B2 (en) Continuous engineering migration of digital twin files from private to open sourced
EP2750350A1 (en) System and method for deploying preconfigured software
WO2018057881A1 (en) Different hierarchies of resource data objects for managing system resources
JP2007004610A (en) Complex access approval method and device
Weippl et al. SemanticLIFE Collaboration: Security Requirements and solutions–security aspects of semantic knowledge management
US20090030938A1 (en) System and method for providing data handling within a human capital management system
AU2004279184B2 (en) System and method for providing REA model based security
US11562033B2 (en) Systems and methods for enhanced content management interoperability services interfaces and repository integration

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LAMPSON, BUTLER;PANDYA, RAVI;LEACH, PAUL J;AND OTHERS;REEL/FRAME:019100/0300;SIGNING DATES FROM 20070327 TO 20070330

AS Assignment

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: CORRECTIVE ASSIGNMENT TO CORRECT THE ASSIGNOR RAVI PANDYA'S NAME TO BE HIS FULL NAME OF RAVINDRA NATH PANDYA PREVIOUSLY RECORDED ON REEL 019100 FRAME 0300. ASSIGNOR(S) HEREBY CONFIRMS THE CORRECTIVE ASSIGNMENT.;ASSIGNORS:LAMPSON, BUTLER;PANDYA, RAVINDRA NATH;LEACH, PAUL J;AND OTHERS;REEL/FRAME:020565/0532;SIGNING DATES FROM 20070327 TO 20080226

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO PAY ISSUE FEE

AS Assignment

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034766/0509

Effective date: 20141014